One of the easiest ways malicious actors reach sensitive data is through email phishing. Typically, they craft links that look legitimate but point to a page the attacker controls, where victims enter their credentials. The links arrive by email, and those who fall for the lure click through and hand over access, with potentially disastrous results.
A Verizon Data Breach Investigations Report, analyzing over 41,600 security incidents, found that almost a third of breaches involved phishing. Phishing was present in 78 percent of cyber-espionage incidents, and 94 percent of malware was delivered by email. Email, and phishing in particular, is a significant threat to cyber security.
Fortunately, there are reliable ways to spot and avoid phishing. By learning a few key points, people can better protect critical information and credentials.
Spotting the Obvious
It is fairly easy to see through unprofessional phishing attempts, so long as users slow down and treat their inboxes with care. By knowing which details to examine, people can avoid many low-tech phishing scams. The areas to check are the sender's email domain, the quality of the writing, and the links.
Phishers try to emulate legitimate, trusted organizations. A supposedly professional email sent from a public email domain should raise a red flag: your bank, business contact, or other professional organization is unlikely to contact you from Gmail or Hotmail.
The sender's name might look legitimate, but that is only because senders can choose any display name they like. Hover over (or expand) the sender and pay attention to what comes after the @ symbol, and read it carefully: attackers also register look-alike domains that differ from the real one by a letter or two. The same approach works for links within the email. Hover over the link, or otherwise check where it goes, without clicking; the visible text of a link can say one thing while the underlying address goes somewhere else. If you do not recognize the address, that is a warning sign. Bear in mind that the sender address itself can be forged when the receiving mail system does not enforce SPF, DKIM and DMARC, so a familiar domain is reassurance, not proof.
You should also pay attention to the content of the message. Legitimate professional senders rarely email you with poor grammar and spelling. People who send phishing scams, however, work in bulk: they send automated messages quickly, and unless they are putting in a lot of effort, their messages are often rushed and poorly worded.
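The checks above (the real address behind a display name, a public mailbox domain, and a link whose visible text names a different domain than the one it actually visits) can be automated for triage. The script below is an added example written for this article, not code from Tor Technologies or from any product; the sample message is constructed for the example, and the function and warning names are illustrative. It also checks a Reply-To header that differs from the From domain, a signal the text does not mention but which the same parsing makes cheap to test.

```python
"""Hypothetical checks for the 'obvious' phishing signals: the real address
behind the display name, public mailbox domains, a Reply-To on a different
domain than From, and links whose visible text names one host while the
href points at another. Uses only the Python standard library."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phish).
SAMPLE_EML = """\
From: "Acme Bank Security" <alerts.acmebank@gmail.com>
Reply-To: acme-verify@mail.example.net
To: victim@example.org
Subject: Urgent: verify you're account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear costumer, you're account has been limited. Please visit
<a href="http://acme-bank-login.example.net/verify">https://www.acmebank.example/login</a>
to restore acess.</p>
</body></html>
"""

# Public mailbox providers a bank or business partner is unlikely to use.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def host_of(text):
    """Lower-cased host of a URL or bare domain, or '' if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyze_message(raw):
    """Return a list of (code, detail) warnings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # 1. Ignore the display name; what matters is the domain after the '@'.
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if sender_domain in FREEMAIL_DOMAINS:
        warnings.append(("freemail-sender",
                         f"{sender.display_name!r} <{sender.addr_spec}>"))

    # 2. A Reply-To on another domain quietly routes replies to the attacker.
    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            warnings.append(("reply-to-mismatch", reply_domain))

    # 3. Links: compare the host the reader sees with the host the link visits.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            shown = text.strip()
            # Only compare when the visible text itself looks like a URL/domain.
            shown_host = host_of(shown) if "." in shown and " " not in shown else ""
            if shown_host and shown_host != href_host:
                warnings.append(("link-text-mismatch", f"{shown_host} -> {href_host}"))
            if href.lower().startswith("http://"):
                warnings.append(("plain-http-link", href_host))
    return warnings


if __name__ == "__main__":
    for code, detail in analyze_message(SAMPLE_EML):
        print(f"{code}: {detail}")
```

Run against the sample, the script reports all four signals. The link check only fires when the visible text looks like a URL, because a link labelled "click here" has nothing to compare; those still need the hover check described above, and none of these heuristics replaces verifying the sender through a channel the email did not provide.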
Understand Spear Phishing
While unsophisticated phishing attempts are fairly easy to spot and avoid, some attacks are more personal and more involved. Known as spear phishing, these attempts target a specific person and include personal details to lure the target in. The email will still appear trustworthy, but it employs social engineering techniques to improve the chances of intrusion.
Traditional security controls may not stop spear phishing as readily, because the scammers customize these emails. Phishers research their targets so that the message gets past the initial red flags. They may also host malicious files on services such as Dropbox or Google Drive rather than attaching them, knowing that attachments are scanned and blocked more aggressively than links.
Often, spear phishing targets senior staff who are busy and may not have time to vet an email. Combine that with a personalized approach, and sending infrastructure whose IP addresses and domains have built up a good reputation by first sending legitimate mail, and a spear phish is hard to avoid. That is why companies need both anti-malware and mail filtering tools and a focus on user behavior.
Educate Employees and Put Skills into Practice
For the end user, training and education are key. IT departments need to invest in changing human behavior just as much as they invest in filters, antivirus programs, and other technology-based controls. These human controls help people slow down and take a measured approach to potential attacks, so that they notice even highly targeted ones.
Staff should know not to download attachments or click links in suspicious emails. They should know how to check a sender's email address and confirm that it matches the domain the sender is expected to use. And they need to be aware of common social engineering practices, so that they are suspicious of any message asking for personal information or credentials, or pressing them to act urgently.
It is important to have a process for employees who believe they have received a phishing email. Ideally, they report the message to IT, which analyzes and verifies the details. For example, if an email appears to come from a business partner, IT can call the contact to confirm the message is genuine, using a phone number already on file rather than one printed in the suspicious email.
Test regularly to gauge how well staff education is working and how well the organization avoids phishing. This can highlight areas of weakness before a scammer exploits them. Mock phishing attempts are a useful way to check that training is hitting the mark without putting company data at risk. For employees who do click on a simulated phishing link, the goal is to re-educate rather than reproach.
With education, organizations can combat scammers who prey on busy, unaware workers via email. Raise awareness that phishing is a real problem, and focus on simple steps everyone can take to reduce risk.
Tor Technologies provides protection against phishing attempts included in their Managed IT Services. Contact us today for more information!